Threat Spotlight: Is Fireball Adware or Malware?

Introduction

Recently, Fireball malware has garnered a lot of attention following claims that it has spread to 250 million computers. Upon execution, Fireball installs a browser hijacker as well as any number of adware programs. Several different sources have linked different indicators of compromise (IOCs) and varied payloads, but a few details remain the same.

But before this threat was called Fireball, it was labeled by most antivirus (AV) companies as ELEX adware. In this blog, we will be detailing the Fireball threat and many of the ways it presents in order to determine whether the threat is real and, if so, what can be done to block it.

Infection Vector

Fireball has almost always been found bundled with other software, but it’s bundled in such a way that the typical user would not be aware of it – this ‘hidden’ aspect, alone, makes it worthy of exploration.

The primary distributor of these bundles is a company named RafoTech. Their website is currently down following the release of the original blog by Check Point, and the command-and-control (C2) channel associated with that URL has also been taken offline. However, you can still find cached versions of the web page on the Wayback Machine.

RafoTech has combined several advertising networks, from PropellerAds to Dealply, to reach the numbers reported. It is possible that bundles from any of these networks currently contain Fireball.

Figure 1: Ad Networks Used by RafoTech. (Image From Their Website.)

Installation

The installation phase is where much of the confusion originates. Once the bundled software is executed, one of many different payloads is installed. We have come across a few major packages, each containing various other adware programs such as QQBrowser, the aMule P2P client, BiksQRSS (an RSS client), and the list goes on. However, this adware is not what the (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog